<?php
/*
   See wiki for explanation
   http://code.google.com/p/vulnerable-scripts/wiki/PHPsqlInjection
*/

   $id   = $_GET['id'];
   
   // Mysql-connection is already opened...
   
   mysql_query('SELECT * FROM `users` WHERE id='. $id .' AND admin = \'0\'');
   
   while($row = mysql_fetch_array($result))
   {
      foreach($row as $val)
      {
         echo $val;
      }
   }
   
?>